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Enter 



WATERMARKED OBJECT GENERATION 
(n universal watermarks hidden in each object) 



800 



Watermarked object 



DISTRIBUTION OF 
WATERMARKED OBJECT 
(fingerprinting and encryption of 
each watermarked object) 
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Download of universally 
watermarked, encrypted and fingerprinted 
object to requesting client PC 



LICENSE TRANSACTION FOR EACH 

REQUESTING CLIENT 
(in exchange for payment, obtain license 
for selected rights to use watermarked object) 



1100 



License downloaded 
to each client 



LICENSE VERIFICATION, 
OBJECT DECRYPTION AND ENFORCEMENT 
(at object run/play time) 
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1300 



V sent to O/S 



OBJECT USAGE 
(Use watermarked objects at each client PC 
in accordance with user requests, UR, and 
rights, V, granted to that client) 
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Encrypted object Cj 



O 



WM 



fe 



Publisher's public key 
cert (PK^) 



VID 



PK 



VID 



License Lj 

j ENCRYPTpjg (SIGN V1D (V, PID, k e ;, CID, t j5 t e )); 



Watermark key 
triple 



root PK 



Client's key pair 



(SKj, PKj) 
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supplied by publisher 330 
to client PCj (400) 



-< 



^ supplied by watermarking 
authority 340 to client PCj (400) 

fabricated by client PCj (400) 
(PKj is certified) 
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OBJECT USAGE 



1450 



Use object M, i.e. here Of*^ 1 , in accordance with user's request (UR) 

but as limited, where appropriate, by rights vector V. 
UR e {1,2,3} where: UR = 1 indicates a user request to run an object 
UR = 2 indicates a user request to store the (encrypted) object 
UR = 3 indicates a user request to modify the object; 

then: 

If (UR = 2 AND v 2 = 1) , allow storage of object M in encrypted store; 
If (UR = 3 AND v 3 = 1), allow modifications to unencrypted object M; or 
If (UR = 1 AND Vj = 1) , then if (v 3 = 0) check publisher's signature on M, and 

allow object to execute. 
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-- CLIENT WATERMARK KEY 
ASSIGNMENT PROCESS 
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Watermarking 
Authority 340 
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_2_ 
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Select particular watermark key, Kj, 



for use on client PC 
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Establish a database entry associating 

client PG; i.e. CID, and 
watermark key, Kj, assigned to that PC. 
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Encrypt watermark key, Kj, using certified 
public key of client PCj (PIC). 
Download encrypted watermark key 
to client PCj. 



encrypted watermark key 



Client PC 400 (PCp 

Establish secure session with 
watermarking authority 340; 
Provide certified public key PKj and 
CID (computer ID) of client PCj to 

WA server 345; 
Issue request for watermark key, Kj. 
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Decrypt watermark key. 
Store resulting key, Kj, in 
Key Manager 640 
in, e.g., Enforcer 600 (or 600'). 

Switch client O/S to 
"initialize" state to permit use of 
protected objects. 
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NEW WATERMARK KEY 
PROVISIONING PROCESS 



Watermarking 
Authority 340 
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Yes 



Abort 
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Yes 
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Select new watermark key, Kj', 



for client PC 
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Set issue and expiration times 
(Tp T e ') for key Kj' accordingly. 
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Send new certificate and new 
watermark key triple to client PCj 



(Certificate, (K^ T/, T e ')) 



1660 



Client PC 400 (PCp 

Establish a secure session with 
watermarking authority 340 
using old (existing) 
certificate for PKj. 



Store (Certificate, key triple) 
-► in Key Manager 640 
in Enforcer 600 (or 600'). 



